Attachment: Soda PDF producer with encryption themes
Detects an observed TTP of using Soda PDF (which offers a free trial) to produce PDFs whose OCR output contains references to encryption and mentions a PDF. The PDF contains a single link which has been observed linking to a credential phishing page.
Sublime rule
name: "Attachment: Soda PDF producer with encryption themes"
description: "Detects an observed TTP of using Soda PDF (which offers a free trial) to produce PDFs which OCR output contains references to encryption and mentions a PDF. The PDF contains a single link which has been observed linking to a credential phishing page."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          .file_extension == "pdf"
          // observed producer
          and any(file.explode(.), .scan.exiftool.producer == "Soda PDF")
          and any(file.explode(.),
                  // OCR contains "encryption" themes
                  (
                    strings.icontains(.scan.ocr.raw, "has been encrypted")
                    or strings.icontains(.scan.ocr.raw, "encrypted pdf file")
                    or strings.icontains(.scan.ocr.raw, "is secured by")
                  )
                  // mentions a PDF
                  and strings.contains(.scan.ocr.raw, "PDF")
          )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "PDF"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Optical Character Recognition"
id: "af8eeca4-825a-5118-bba0-ab62425a5fcb"
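The rule's predicate rewritten as an added Python example (not part of the Sublime rule or the Sublime engine), over a constructed model of the exploded-file fields it references. It shows two details worth knowing when tuning it: the producer check and the OCR-theme check are separate any() calls, so they may be satisfied by different exploded parts of the same attachment, and strings.contains("PDF") is case-sensitive while the theme checks use strings.icontains.

```python
from dataclasses import dataclass, field
from typing import List


# Constructed stand-in for one entry of file.explode(.): only the two
# scan fields the rule reads are modelled.
@dataclass
class ExplodedPart:
    producer: str = ""   # .scan.exiftool.producer
    ocr_raw: str = ""    # .scan.ocr.raw


@dataclass
class Attachment:
    file_extension: str
    parts: List[ExplodedPart] = field(default_factory=list)


ENCRYPTION_THEMES = ("has been encrypted", "encrypted pdf file", "is secured by")


def ocr_has_encryption_theme(part: ExplodedPart) -> bool:
    """strings.icontains for each theme, then case-sensitive contains for 'PDF'."""
    text = part.ocr_raw
    themed = any(theme in text.lower() for theme in ENCRYPTION_THEMES)
    return themed and "PDF" in text


def attachment_matches(att: Attachment) -> bool:
    """Mirror of the rule's per-attachment predicate."""
    if att.file_extension != "pdf":
        return False
    # Two independent any() calls: producer and OCR themes may come from
    # different exploded parts of the same attachment.
    producer_ok = any(p.producer == "Soda PDF" for p in att.parts)
    ocr_ok = any(ocr_has_encryption_theme(p) for p in att.parts)
    return producer_ok and ocr_ok


def message_matches(inbound: bool, attachments: List[Attachment]) -> bool:
    return inbound and any(attachment_matches(a) for a in attachments)


# Constructed samples (not real OCR output).
LURE = Attachment("pdf", [ExplodedPart(producer="Soda PDF",
    ocr_raw="This PDF has been Encrypted. Open the secured document.")])
BENIGN_SODA = Attachment("pdf", [ExplodedPart(producer="Soda PDF",
    ocr_raw="Quarterly invoice attached. Total due: 1,240.00")])
LOWERCASE_PDF = Attachment("pdf", [ExplodedPart(producer="Soda PDF",
    ocr_raw="your pdf file has been encrypted")])  # no uppercase "PDF"
```

LOWERCASE_PDF does not match because the final strings.contains check is case-sensitive; that is a gap to keep in mind if OCR lowercases the lure text.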